x64dbg usage log: start debugging and modify a program
Explore the comprehensive guide by fairycn on how to master x64dbg on Windows 11, from installation to advanced debugging techniques, ensuring effective program modifications and insightful CPU disassembly analysis.
Environmental information
Windows 11, x64dbg, test program
Obtaining x64dbg
Website: https://x64dbg.com/
GitHub: https://github.com/x64dbg/x64dbg
sourceforge: https://sourceforge.net/projects/x64dbg/files/snapshots/
Note: The latest release files can be obtained from the releases page of the x64dbg GitHub project or from sourceforge
Current version file: snapshot_2022-12-12_15-45.zip
Contents of the unpacked directory
Note: the unpacked folder snapshot_2022-12-12_15-45 was renamed to x64dbg
Installation
Go to the release directory
Run the x96dbg.exe executable; this launcher installs x64dbg for later debugging
Note: Because the installation performs some system setup operations, a User Account Control prompt will be shown
Click Install in the Launcher pop-up window to install
Note: The x32dbg and x64dbg buttons launch the debugger for the respective architecture. The debugger and the program being debugged must have the same bitness (32-bit or 64-bit), and the attach dialog of each debugger only lists processes of its own bitness.
The installation options are:
Shell extension --- selecting yes adds an entry to the right-click menu; opening a program from this entry detects the program's bitness and starts the matching x32dbg or x64dbg for debugging.
Note: On Windows 11, right click and then click Show more options (Shift+F10) to see this entry.
Desktop --- selecting yes creates two desktop shortcuts (x32dbg and x64dbg)
Database icon --- selecting yes assigns an icon to x64dbg database files (.dd32, .dd64) so they are easy to identify
Click OK to complete the installation
Event settings
Options --- Preferences
The options checked for this debugging session are shown below; adjust them according to your needs
Language settings
Options --- Language --- target language; x64dbg must be restarted for the change to take effect.
On the first run, the default language is chosen according to the system language
Example: if the system language is Chinese, the configuration file generated after the first run has the language parameter set to zh_CN
Font settings
Options---Appearance
Test program
Source.c
#include <stdio.h>

int main()
{
    int a = 0;                  /* initialised so the checks below are defined even if scanf_s reads nothing */
    printf("Please input a number:\n");
    int x = scanf_s("%d", &a);  /* x is the number of items read: 1 on success, 0 on bad input */
    printf("%d\n", x);
    /* "yes" only for multiples of both 5 and 7 that lie strictly between 1 and 200 */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n");
    else
        printf("no\n");
    return 0;
}
Start debugging
Entry breakpoint.
Note: At this point the debugger is paused at the entry point chosen by the linker, which is not the assembly corresponding to the source code above; execution has not yet reached the virtual memory addresses of that code
Some of the debugging information generated by the software can be viewed in Log
If a program database file (.pdb) is available, the main function can be located quickly in the Symbols tab
The assembly code area corresponding to the main function
Locating the relevant assembly code area
Some debugging is done without the program database file (.pdb). In that case, strings or the names of functions shown in the disassembly can be used to guess which function does what and to locate the relevant area, or the program can be decompiled to aid debugging
Example: After running the program the following string is displayed ---Please input a number:
CPU disassembly code area right click --- Search --- All user modules --- String type
The matching strings and their virtual memory addresses are listed
Double click an entry to jump to the corresponding assembly code area
From there, use the scroll bar or the mouse wheel to move up and view the surrounding assembly code
From the information displayed in the assembly area, the virtual address of the string Please input a number: is 140002260
This address can now be used to change the data
Data modification
Select the region and right click on it
The edit dialog shows the selected bytes decoded as UTF-8 text
Modify
Modified state
Note: By default the disassembly view reads memory and interprets it as assembly instructions, but these bytes are string data rather than instructions. If the characters shown in the edit dialog do not match what you expect, switch the parsing mode for that region (for example, view the bytes as a string) so the data is decoded as intended.
Restore modifications
At this point, the Restore button restores the modified data to its value before the modification
Since this was only a temporary test of the modification, click the Restart button to reload the program
After the program pauses at the entry breakpoint, the previous address can be entered directly, because the test program was compiled with address randomization turned off; the figure below shows the effect of the modification
Note: If address randomization is enabled, the address can change between runs, so search for the string again before editing.
Exporting changes
Export the modified binary file
File menu --- Patch file
If no further changes are needed, simply click the Patch File button.
Then give the file a name and save it
Note: Do not save it under the original file name, because the original file is in use by the debugger at that moment.
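The string search above and the edit-and-export steps both rest on the same mapping between an offset in the file on disk and the virtual address the debugger displays. The following Python script is an added example, not code from the original post or from the x64dbg project: it builds a minimal PE32+ image in memory (a constructed sample with one .rdata section, not a real executable), finds a string in it, converts between the string's file offset and its virtual address using the section table, and patches the string in place the way an edited region is written back to disk by Patch File. The image base 0x140000000, the section address 0x2000, the sample string and all function names are assumptions of the example.

```python
"""Added example (not from the original post or x64dbg): locate a string in a
PE image, map between its file offset and virtual address using the section
table, and patch it in place.  The PE image is constructed inline so the
script runs offline; it is a header skeleton, not a runnable program."""
import struct

FILE_ALIGN = 0x200
RAW_PTR = 0x400        # file offset where the constructed section's raw data starts


def build_sample_pe(image_base=0x140000000, section_va=0x2000,
                    payload=b"Please input a number:\n\0"):
    """Construct a minimal PE32+ image: DOS header, PE/COFF header, optional
    header and a single .rdata section holding `payload` (constructed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after DOS header
    # "PE\0\0", Machine=AMD64, 1 section, timestamp/symbols=0, SizeOfOptionalHeader=240
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)  # FileAlignment
    raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(payload), section_va,
                       raw_size, RAW_PTR, 0, 0, 0, 0, 0x40000040)  # initialized, readable
    img = bytearray(dos + coff + opt + sect)
    img.extend(b"\0" * (RAW_PTR - len(img)))
    img.extend(payload.ljust(raw_size, b"\0"))
    return bytes(img)


def parse_sections(img):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic == 0x20B:                           # PE32+ (64-bit): ImageBase is 8 bytes
        image_base = struct.unpack_from("<Q", img, opt + 24)[0]
    elif magic == 0x10B:                         # PE32 (32-bit): ImageBase is 4 bytes
        image_base = struct.unpack_from("<I", img, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return image_base, sections


def file_offset_to_va(img, offset):
    """File offset -> virtual address, as shown in the debugger (ASLR off)."""
    image_base, sections = parse_sections(img)
    for _, va, _, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + va + (offset - raw_ptr)
    raise ValueError("offset %#x is not inside any section" % offset)


def va_to_file_offset(img, va):
    """Reverse mapping: the VA shown by the debugger -> offset in the file on disk."""
    image_base, sections = parse_sections(img)
    rva = va - image_base
    for _, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            return raw_ptr + (rva - sva)
    raise ValueError("VA %#x is not inside any section" % va)


def find_string_va(img, needle):
    """Counterpart of the debugger's string search: locate the bytes, report the VA."""
    offset = img.find(needle)
    return None if offset < 0 else file_offset_to_va(img, offset)


def patch_string(img, old, new):
    """Overwrite a NUL-terminated string in place.  The replacement must fit in
    the original's storage: the export writes bytes back, it cannot grow a section."""
    offset = img.find(old + b"\0")
    if offset < 0:
        raise ValueError("string not found")
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    patched = bytearray(img)
    patched[offset:offset + len(old) + 1] = new.ljust(len(old) + 1, b"\0")
    return bytes(patched)


if __name__ == "__main__":
    image = build_sample_pe()
    print("string VA: %#x" % find_string_va(image, b"Please input a number:"))
    patched_image = patch_string(image, b"Please input a number:\n", b"Enter a number:\n")
    print("patched bytes at file offset %#x" % va_to_file_offset(patched_image, 0x140002000))
```

The virtual address is only stable because the test program was built without address randomization; with it enabled, the relative virtual address (VA minus image base) is the quantity that stays the same between runs, which is why the search has to be repeated in that case. The length check in patch_string is the same constraint that applies when editing the string in the debugger: a longer replacement would run into whatever follows it in the section.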
Modifying the execution flow: observing the assembly code, there is a jne comparison that analysis links to the output, so a breakpoint can be set on that instruction
After the input value is entered, execution pauses at the jne instruction
The result after execution
Double click on a call to go to the entry address of the called function and analyse its assembly code
Simple analysis
When the jne jump is taken, the address of the "no\n" string is loaded into rcx and 140001020 is called (the symbol resolution shows this call goes to printf), which prints the string; this is the code that outputs the result
Modifying the assembly instruction.
From the analysis above, the program prints yes when neither of the two jne instructions in this area jumps and the jbe jump is taken
Right click on the line with the instruction to be modified and select Assemble
Modifying assembly instructions
Change jne to the opposite condition, je
Change jbe to the opposite condition, ja (also written jnbe)
Test verification (figures): jump not taken; jump not taken; jump taken; resulting output
Changing the flag register
The value of the corresponding flag register bit can also be changed directly to influence the result of the instruction, which is useful for testing
zf=0 jne jumps
zf=1 jne does not jump
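At byte level, changing jne to je or jbe to ja flips one bit of the opcode, and the zf rule above is just the condition that each Jcc evaluates. The following Python snippet is an added example, not code from the original post or from x64dbg: it decodes short and near conditional jumps in a constructed byte string, inverts their condition the way the Assemble command rewrites them in place, and evaluates whether a given jump would be taken for given flag values. The sample bytes and the function names are constructed for the example.

```python
"""Added example (not from the original post or x64dbg): decode, invert and
evaluate x86 conditional jumps at byte level.  The code bytes are constructed."""

# Short (rel8) Jcc opcodes.  The near (rel32) form is 0F 8x with the same low nibble.
JCC_SHORT = {
    "jo": 0x70, "jno": 0x71, "jb": 0x72, "jae": 0x73, "je": 0x74, "jne": 0x75,
    "jbe": 0x76, "ja": 0x77, "js": 0x78, "jns": 0x79, "jp": 0x7A, "jnp": 0x7B,
    "jl": 0x7C, "jge": 0x7D, "jle": 0x7E, "jg": 0x7F,
}
OPCODE_TO_MNEMONIC = {v: k for k, v in JCC_SHORT.items()}


def decode_jcc(code, offset):
    """Return (mnemonic, instruction length) for a Jcc at `offset`, else None."""
    b0 = code[offset]
    if b0 in OPCODE_TO_MNEMONIC:
        return OPCODE_TO_MNEMONIC[b0], 2                     # Jcc rel8
    if b0 == 0x0F and offset + 1 < len(code) and 0x80 <= code[offset + 1] <= 0x8F:
        return OPCODE_TO_MNEMONIC[0x70 | (code[offset + 1] & 0x0F)], 6   # Jcc rel32
    return None


def invert_jcc(code, offset):
    """Flip the condition of the Jcc at `offset` (jne <-> je, jbe <-> ja, ...).
    Complementary conditions differ only in the low bit of the condition code,
    so the displacement is untouched and the instruction keeps its length."""
    if decode_jcc(code, offset) is None:
        raise ValueError("no conditional jump at offset %#x" % offset)
    patched = bytearray(code)
    if patched[offset] == 0x0F:
        patched[offset + 1] ^= 0x01
    else:
        patched[offset] ^= 0x01
    return bytes(patched)


def jcc_taken(mnemonic, zf=0, cf=0, sf=0, of=0, pf=0):
    """Whether the named Jcc would be taken for the given flag bits."""
    table = {
        "je": zf == 1, "jne": zf == 0,
        "jb": cf == 1, "jae": cf == 0,
        "jbe": cf == 1 or zf == 1, "ja": cf == 0 and zf == 0,      # unsigned compares
        "jl": sf != of, "jge": sf == of,
        "jle": zf == 1 or sf != of, "jg": zf == 0 and sf == of,    # signed compares
        "js": sf == 1, "jns": sf == 0, "jo": of == 1, "jno": of == 0,
        "jp": pf == 1, "jnp": pf == 0,
    }
    return table[mnemonic]


if __name__ == "__main__":
    # Constructed sample: test eax,eax ; jne +0x0A ; jbe rel32 +0x100
    sample = bytes.fromhex("85c0750a0f8600010000")
    print(decode_jcc(sample, 2), decode_jcc(sample, 4))
    flipped = invert_jcc(invert_jcc(sample, 2), 4)
    print(decode_jcc(flipped, 2), decode_jcc(flipped, 4))
    print("jne with zf=0 taken:", jcc_taken("jne", zf=0), "zf=1:", jcc_taken("jne", zf=1))
```

Because the inversion only touches the condition-code bit, the rest of the code bytes stay where they are, which is what makes an in-place edit safe; the same property makes such one-byte differences easy to spot when comparing a patched binary against its original.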
Comments
To make debugging easier, comments can be added to the relevant instruction lines to record the functions that were tested or guessed, for later analysis
Right click on the line with the instruction and choose Comment
After adding a comment, the result is shown below; the comment text can be edited later by selecting the same menu entry again: